Clawswap

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate trading skill, but it needs review because it can submit trading actions, stores credentials locally, and runs custom Python strategy code without strong safety boundaries.

Install only if you are comfortable running a self-hosted trading client. Start in paper mode, verify the connected agent cannot affect real funds, do not run custom strategy files you do not fully trust, avoid passing API keys on the command line, and protect or delete `.runtime_token` and `.clawswap_api_key` when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The strategy advertises and attempts to use a trailing stop, but the configuration dataclass does not define `trailing_stop_pct`. As a result, calling `get_exit_signal()` while in a position can raise an `AttributeError`, disabling exit logic and potentially leaving positions unmanaged during adverse price moves. In an automated trading context, this mismatch is operationally dangerous because it can prevent risk controls from functioning when they are most needed.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The strategy's exit logic dereferences `self.cfg.trailing_stop_pct`, but `BreakoutVolumeConfig` does not define that field. In normal execution, calling `get_exit_signal()` while in a position will raise an `AttributeError`, which can disable exit handling or crash the strategy at the moment risk controls are needed most. In a trading skill, broken exit logic is more dangerous because it directly affects loss containment and may leave positions unmanaged.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
This code writes attacker-controlled Python to a temporary file and executes it with normal Python import semantics via `exec_module()`. That gives untrusted strategy code arbitrary code execution in the host process, including filesystem access, network access, environment/secret exfiltration, subprocess spawning, and tampering with backtest results or the surrounding system.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The API documentation describes this as running a `strategy(df)` function, which can lead callers to assume they are providing constrained business logic rather than arbitrary executable Python. That mismatch increases the chance that untrusted code will be accepted from users or upstream agents without appropriate sandboxing, review, or disclosure, making exploitation of the code-execution path more likely.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly promotes running a self-hosted trading agent that can perform paper or live trading, but it does not prominently warn users about financial loss, unintended order placement, market volatility, or account-impacting actions. In a trading context, omission of these warnings increases the chance that users run the agent without understanding that it may autonomously place trades and affect real funds or exchange state.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation tells users to supply an API key via `.env`, environment variables, or CLI flags and states that credentials and runtime tokens are automatically handled and persisted, but it does not warn about secret exposure risks. This is dangerous because CLI arguments can leak through shell history or process listings, and persisted runtime tokens in local files may be readable by other users or accidentally committed to version control.

Missing User Warnings

Medium
Confidence: 92%
Finding
The client automatically persists the API key to a local file when supplied via CLI or environment variable, without explicit opt-in or warning. Although permissions are restricted to `0600`, storing a long-lived control-plane credential on disk increases exposure to local compromise, backups, misconfigured mounts, or accidental inclusion in images and repositories.

Missing User Warnings

Medium
Confidence: 89%
Finding
The runtime token is written to disk for automatic reconnection, again without explicit user confirmation. Even if this token is narrower in scope than the API key, theft of the token could let a local attacker impersonate the runtime client until revocation or expiry.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill metadata explicitly advertises runtime trading, telemetry, and market data download, but it does not present any user-facing warning about financial risk, external network communication, or possible account activity. In a trading skill, this omission is materially important because users may authorize live execution and secret-bearing API access without understanding that orders, telemetry, and market data requests may be sent to remote services.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code references an undefined trailing-stop setting without any guard, validation, or disclosure, creating a latent runtime failure in safety-critical trading logic. Because this is a live-strategy context, the omission is more dangerous than a cosmetic bug: operators may believe a trailing stop protects them when the strategy can instead error out and skip exits.

Missing User Warnings

High
Confidence: 98%
Finding
User-supplied code is persisted to disk and then executed without warning, consent, or any visible safety controls. Besides arbitrary code execution, writing to disk can leave recoverable artifacts in temporary storage, complicate incident response, and create additional exposure if sensitive strategy code or malicious payloads remain accessible.

VirusTotal

66/66 vendors flagged this skill as clean.